Skill v1.1.0

ClawScan security

oc-doctor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 1:03 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and behavior are consistent with a local OpenClaw health-check tool: it reads local OpenClaw files and runs openclaw/jq commands, and the scope and privileges requested are proportionate to that purpose.
Guidance
This skill appears coherent and local-only, but before installing or running:
1) confirm you trust the skill source (README points to a GitHub repo);
2) review which local files will be read (openclaw.json, models.json, sessions.json, workspace .md, logs) and back them up if needed;
3) be aware that diagnostic output is included in LLM conversation context; sensitive values might be redacted, but verify redaction on a small test first;
4) grant fixes only after reviewing the proposed changes (batch-fix can modify config/files); and
5) prefer installing from the official repo or a vetted registry to avoid supply-chain risk.

Review Dimensions

Purpose & Capability
ok · Name/description match the actions: the skill needs openclaw and jq and reads OpenClaw config, sessions, models, and workspace files to produce diagnostics. The single included shell script is a local data collector used by the LLM analysis, which is coherent with the stated purpose.
Instruction Scope
note · SKILL.md instructs the agent to run openclaw commands and read many OpenClaw files (openclaw.json, models.json, sessions.json, workspace .md, logs, cron configs), all within the stated diagnostic scope. One notable instruction is language inference that explicitly says to check recent conversation history and workspace file content; this expands the data the agent may access (conversation context and workspace files) for language detection and could surface sensitive context into the LLM conversation. The skill states fixes will only run with explicit confirmation, which limits surprise modifications.
Install Mechanism
ok · No install spec is provided (instruction-only plus a single included script). No network downloads or archive extraction occur as part of the skill bundle itself, so installation risk is low; the remaining risk depends on how the user obtains the skill (e.g., cloning from an external repo).
Credentials
note · The skill does not request credentials or additional environment variables beyond an optional OPENCLAW_HOME. It does read local files that can contain sensitive values (models.json, sessions.json, workspace files). The README/SKILL.md claims secrets are redacted in reports (first 8 chars + ...), which is reasonable, but users should verify redaction behavior before sharing outputs beyond their machine.
Persistence & Privilege
ok · The skill is not force-included (always: false) and does not request persistent system-level privileges. The included script declares no writes, and SKILL.md states modifications happen only after explicit confirmation. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal for skills; combined with the limited local scope, this is acceptable.